The Trade and Cooperation Agreement – What does this mean for Data Protection?
At 11pm on 31 December 2020, the Brexit transition period came to an end. A few days prior to this, on 24 December 2020, the UK Government and the EU Commission announced that a deal had been agreed on the future of the EU-UK relationship and that the Trade and Cooperation Agreement (TCA) had been finalised.
Is the UK still subject to the General Data Protection Regulation (GDPR) now that the Brexit transition period has come to an end?
The GDPR provides a harmonised legal framework regulating the way in which personal data is collected, used and shared throughout the EU (referred to here as the EU GDPR).
From 1 January 2021 the EU GDPR ceases to have direct effect in the UK, and the UK is no longer regulated domestically by it. Instead, the UK has written its own version into domestic law, known as the United Kingdom General Data Protection Regulation (UK GDPR). The UK GDPR is for the most part parallel to the EU GDPR, but it applies as an independent law.
Whilst the two regimes will generally correspond, businesses that offer goods and services in both the UK and the EU will still need to consider how to manage privacy compliance under both the UK GDPR and the EU GDPR, because of the extra-territorial reach of both pieces of legislation. In essence, businesses with pan-European operations are likely to have to follow two separate but similar legislative regimes, with the consequential risk of dual enforcement action in the event of a breach (by EU Data Protection Authorities in the EU and by the Information Commissioner’s Office (ICO) in the UK).
What has been agreed in respect of data transfers?
In our last update, we looked at some of the issues regarding data transfers between the EU/EEA and the UK following the end of the transition period. It was hoped that the European Commission would confirm the UK to be a safe destination for personal data (a favourable adequacy decision) before the end of the transition period. Without an adequacy decision, businesses transferring data from the EU to the UK would need to include additional safeguards (such as standard contractual clauses) in their data transfer arrangements to continue to transfer personal data after 1 January 2021 in accordance with data protection law.
The TCA does not address the question of adequacy, i.e. whether the EU Commission deems the UK’s data protection regime ‘adequate’ (essentially equivalent to the EU’s). Whilst the timing and outcome of an adequacy decision are not yet clear, the good news is that the TCA provides a ‘bridging mechanism’ which permits the continued free flow of personal data from the EU/EEA to the UK after the transition period for a specified time (conditional on the UK not changing its data protection legislation without the EU’s consent). This much needed grace period provides some short term relief by permitting the transfer of personal data without the need to impose additional safeguards for up to six months[1].
What happens if adequacy is not approved for the UK?
The European Commission’s adequacy assessment of the UK is continuing. With both sides committed to ensuring a high level of data protection and to working together to promote high international standards[2], there is hope that a favourable adequacy decision for the UK will be forthcoming.
If adequacy is not approved, businesses may need to rely on the transfer safeguards set out in the EU GDPR. These include:
- binding corporate rules (BCRs)
- standard contractual clauses (SCCs)
- certification and codes of conduct
- derogations (applying to EU data exporters only).
What should businesses be doing in respect of data transfer now?
For the moment, there are no changes to the way UK businesses may send personal data to the EU/EEA, Gibraltar and other countries deemed adequate by the EU. This means personal data can continue to be transferred from the UK to these countries without the need for additional safeguards. However, the UK government intends to keep this position under review.
For the period of the bridging mechanism, UK businesses can continue to receive personal data from the EU/EEA. During this period the UK will not be treated as a third country for the purposes of data protection. For now, this means that the issues around the transfer of data from the EU/EEA to the UK have been deferred rather than resolved.
However, the ICO has suggested that UK businesses should work with any EU/EEA organisations transferring such data and prepare to put in place alternative mechanisms to safeguard against an interruption to data flow in the event that an adequacy decision is not given[3].
Do we have to appoint an EU Representative?
Nothing in the TCA appears to relax the requirement, under Article 27 of the EU GDPR, for UK businesses to appoint a representative inside the EU where that Article applies to them.
If a UK-based business has no establishment in the EU but offers goods or services to EU individuals or monitors their behaviour, it will need to consider whether it is required to appoint a representative in the EU because it is still subject to the EU GDPR.
Likewise, an EU-based business will need to consider whether it is required to appoint a representative in the UK because it is subject to the UK GDPR.
Should UK businesses be considering anything else?
UK businesses may need to update their privacy notices. These are likely to be minor amendments, for example, to update references to relevant laws (such as changing the EU GDPR references to the UK GDPR), UK-EU transfers and information relating to their EU representative (if applicable).
The above does not constitute legal advice, nor is it a complete list of the issues to consider in the context of the GDPR. Should you have any queries, please do not hesitate to contact the author of this article or your usual contact at Ince.
[1]This is for four months from the TCA entering into force, extended by two months unless one of the parties objects, or, if earlier, until there is an adequacy finding for the UK (FINPROV. 10A).
[2]Article COMPROV.10(1)
[3]See ICO website for further guidance.